
🔐 Security Policies

WellWalla Chief Information Security Officer | v1.0 | February 2026

Security Posture Overview

Layer | Protection | Status
Network | Cloudflare DDoS protection, WAF | ✓ Active
Transport | TLS 1.3, HTTPS everywhere | ✓ Active
Application | WordPress security plugins | Review needed
Data at Rest | AWS EBS encryption | ✓ Active
Access Control | Cloudflare Access (internal) | ✓ Active
Secrets Management | 1Password | ✓ Active
Backup | Daily EBS snapshots, 35-day retention | ✓ Active
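The Backup and Data at Rest rows above state two requirements that can be verified mechanically rather than by inspection: every volume gets a snapshot every day, no snapshot is kept past 35 days, and every snapshot is encrypted. The following audit function is an added example written for this page, not code from WellWalla's own tooling. It consumes records shaped like the `Snapshots` entries returned by EC2 `DescribeSnapshots` (`SnapshotId`, `VolumeId`, `StartTime`, `Encrypted`); the records below are constructed sample data so the example runs offline, and the one-hour scheduler jitter tolerance is an assumption, not a figure from the policy.

```python
"""Audit EBS snapshot records against the backup policy:
daily snapshots, 35-day retention, encrypted at rest.

Added example. The record shape mirrors the fields of EC2 DescribeSnapshots
(SnapshotId, VolumeId, StartTime, Encrypted); in production, pass
ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"] instead of SAMPLE_SNAPSHOTS.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 35                 # policy: 35-day retention
DAILY = timedelta(days=1)           # policy: one snapshot per volume per day
JITTER = timedelta(hours=1)         # assumed tolerance for scheduler drift (not from the policy)


def audit_snapshots(snapshots, now, retention_days=RETENTION_DAYS):
    """Return {volume_id: [finding, ...]} for every non-compliant volume.

    An empty dict means every volume satisfies the policy. Findings raised:
      - an unencrypted snapshot (violates the data-at-rest control)
      - a snapshot older than the retention window (lifecycle rule not deleting)
      - the newest snapshot is more than a day old (a daily backup was missed)
      - a gap of more than a day between consecutive in-window snapshots
    """
    by_volume = defaultdict(list)
    for snap in snapshots:
        by_volume[snap["VolumeId"]].append(snap)

    cutoff = now - timedelta(days=retention_days)
    findings = defaultdict(list)

    for vol, snaps in by_volume.items():
        snaps.sort(key=lambda s: s["StartTime"])  # oldest first

        for snap in snaps:
            if not snap.get("Encrypted", False):
                findings[vol].append(f"unencrypted snapshot {snap['SnapshotId']}")
            if snap["StartTime"] < cutoff:
                findings[vol].append(
                    f"{snap['SnapshotId']} is older than the {retention_days}-day retention window")

        newest = snaps[-1]["StartTime"]
        if now - newest > DAILY + JITTER:
            findings[vol].append(
                f"newest snapshot is {(now - newest).days} days old; daily backup missed")

        # Only snapshots inside the retention window are expected to form a daily chain.
        in_window = [s for s in snaps if s["StartTime"] >= cutoff]
        for earlier, later in zip(in_window, in_window[1:]):
            gap = later["StartTime"] - earlier["StartTime"]
            if gap > DAILY + JITTER:
                findings[vol].append(
                    f"{gap.days}-day gap between {earlier['SnapshotId']} and {later['SnapshotId']}")

    return dict(findings)


# Constructed sample data (not real AWS output). The audit runs at 03:00 UTC;
# the hypothetical snapshot schedule fires at 02:00 UTC.
NOW = datetime(2026, 2, 10, 3, 0, tzinfo=timezone.utc)


def _snap(vol, days_ago, encrypted=True):
    """Build one constructed snapshot record taken `days_ago` days before NOW."""
    start = (NOW - timedelta(days=days_ago)).replace(hour=2, minute=0)
    return {"SnapshotId": f"snap-{vol}-{days_ago:02d}", "VolumeId": f"vol-{vol}",
            "StartTime": start, "Encrypted": encrypted}


SAMPLE_SNAPSHOTS = (
    [_snap("a", d) for d in range(35)]               # vol-a: fully compliant
    + [_snap("b", d) for d in (0, 1, 2, 4)]          # vol-b: day 3 missing ...
    + [_snap("b", 40, encrypted=False)]              # ... plus an expired, unencrypted snapshot
    + [_snap("c", d) for d in (3, 4, 5)]             # vol-c: newest snapshot is three days old
)

if __name__ == "__main__":
    for vol, problems in audit_snapshots(SAMPLE_SNAPSHOTS, NOW).items():
        for problem in problems:
            print(f"{vol}: {problem}")
```

Running the block reports three findings for vol-b (the unencrypted snapshot, its age beyond the retention window, and the two-day gap) and one for vol-c (a missed daily backup); vol-a produces nothing. A sustained backlog of "older than retention" findings is worth treating as a failed security control under the High severity level, since it usually means the lifecycle rule that enforces the 35-day window has stopped running.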

Access Control Policy

Principle of Least Privilege

Users and systems receive only the minimum access required for their function.

Role | AWS Access | WP Admin | Databases
Chairman (Dave) | Full | Full | Full
AI CEO (DaVinci) | Read-only | TBD | Read/Write (local)
India Developer | None | Limited | None

Policy: No credentials are shared via Telegram or any other unencrypted channel. Use 1Password for all credential sharing.

Data Classification

Classification | Examples | Handling
PHI (Protected) | Lab results, patient names, DOB | Encrypted, HIPAA controls, audit logged
Confidential | Wholesale prices, margins, credentials | Internal only, never public
Internal | Strategy docs, meeting notes | Employee access, org.wellwalla.com
Public | Website content, retail prices | No restrictions

HIPAA Security Requirements

Administrative Safeguards

Technical Safeguards

Physical Safeguards

Incident Response

Severity Levels

Level | Description | Response Time
Critical | PHI breach, system compromise | Immediate (< 1 hour)
High | Service outage, failed security control | < 4 hours
Medium | Suspicious activity, policy violation | < 24 hours
Low | Security improvement opportunity | Next business day

Response Steps

  1. Contain — Isolate affected systems
  2. Assess — Determine scope and impact
  3. Notify — Inform Chairman immediately for Critical/High
  4. Remediate — Fix the vulnerability
  5. Document — Record incident and lessons learned
  6. Report — HIPAA breach notification if PHI is involved: without unreasonable delay, and no later than 60 calendar days after the breach is discovered

Security Checklist